Adding chart for AWS' new EKS Pod Identity Webhook #28
Conversation
Thanks @max-rocket-internet! Working on getting images published for this :D
@@ -0,0 +1,20 @@ | |||
apiVersion: admissionregistration.k8s.io/v1beta1 | |||
kind: MutatingWebhookConfiguration | |||
metadata: |
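Review bot: `apiVersion: admissionregistration.k8s.io/v1beta1` on the first line of this hunk is the beta API; `admissionregistration.k8s.io/v1` has been served since Kubernetes 1.16 and v1beta1 is removed in 1.22, so either gate the apiVersion on `.Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1"` or state the supported Kubernetes versions in the README. Note that the v1 form requires `admissionReviewVersions` and `sideEffects` to be set explicitly.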
Could support be added here to configure annotations? We've pulled this to use it, but want to use it with self-signed certificates from cert-manager instead.
- name: webhook | ||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" | ||
imagePullPolicy: {{ .Values.image.pullPolicy }} | ||
command: |
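Review bot: the `command:` list that ends this hunk is where the listen port is fixed (the comment below proposes `--port={{ .Values.port }}`); if it is templated, drive the containerPort and the Service's targetPort from the same `.Values.port` so the three cannot drift apart, and add the value with its default to values.yaml and the README table.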
Could this be updated to also templatize the port being used?
--port={{ .Values.port }}
Thanks a lot for this @max-rocket-internet! If I could ask for one more change, could it be possible to add a
apiVersion: admissionregistration.k8s.io/v1beta1 | ||
kind: MutatingWebhookConfiguration | ||
metadata: | ||
name: {{ include "aws-pod-identity-webhook.fullname" . }} |
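Review bot: `name: {{ include "aws-pod-identity-webhook.fullname" . }}` on the last line names a cluster-scoped object, so two releases with the same fullname in different namespaces will collide on install; either append the release namespace to the name or document that the chart is meant to be installed once per cluster. The discussion below also notes that EKS clusters already carry a webhook for this purpose, so the README should say which clusters the chart targets.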
@micahhausler I think this must be pod-identity-webhook? I just checked all our clusters and this already exists in each with a webhook called iam-for-pods.amazonaws.com. What is supposed to happen here?
Judging by the name here, I think we are supposed to overwrite the pod-identity-webhook one in the cluster?
OK, now I realise this chart is not to be installed into an EKS cluster because EKS provides this service by default. This chart would be for non-EKS clusters.
If anyone wants extra changes, just create a PR after this is merged. @nckturner I think we merge this and just make users build their own docker images. Then if AWS releases docker images, the chart can be updated?
Just personally speaking, I don't know if having a chart published that doesn't just "work" out of the box is the best approach. While I'm eagerly awaiting this awesome work, it doesn't introduce an ideal workflow for consuming something in Helm if there's a multi-step approach to have the chart actually apply. Regardless, thanks for the awesome commitment of work on this @max-rocket-internet
tolerations: [] | ||
affinity: {} |
Please include the following (and add to README values listing):

```yaml
serviceAccount:
  # serviceAccount.create: Whether to create a service account or not
  create: true
  # serviceAccount.name: The name of the service account to create or use
  name: ""

rbac:
  # rbac.create: `true` if rbac resources should be created
  create: true
  # rbac.pspEnabled: `true` if PodSecurityPolicy resources should be created
  pspEnabled: false
```

This matches other charts.
Also, for other charts, we've just used a generic podAnnotations value: https://github.com/aws/eks-charts/blob/master/stable/aws-vpc-cni/values.yaml#L29

eks-charts/stable/aws-vpc-cni/templates/daemonset.yaml, lines 17 to 21 in 575321f:

```yaml
      annotations:
      {{- range $key, $value := .Values.podAnnotations }}
        {{ $key }}: {{ $value | quote }}
      {{- end }}
      {{- end }}
```
Maybe do that for this chart as well?
OK, serviceAccount thing is done. podAnnotations thing is done.
RBAC is not optional any more I believe and I don't know how to write a PSP so perhaps this can follow in a later PR?
Yup, PSP stuff can certainly be done in a followup.
@@ -0,0 +1,24 @@ | |||
tls_secret_name: pod-identity-webhook | |||
annotation_prefix: eks.amazonaws.com |
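Review bot: `tls_secret_name` and `annotation_prefix` in this hunk are snake_case while the rest of the chart's values are camelCase (`podAnnotations`, `image.repository`, `image.pullPolicy`); rename them to `tlsSecretName` and `annotationPrefix` so the README values table stays consistent. The secret named by `tls_secret_name` has to exist before the webhook pod can start, so how it is produced (cert-manager or by hand, as raised in the comment above) should be documented next to the value.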
As you alluded to, EKS already installs the pod identity webhook by default, so this EKS-specific annotation prefix is probably not appropriate as the default for this chart?
Happy to change it but I don't know what for?
prometheus.io/port: "443" | ||
prometheus.io/scheme: "https" | ||
prometheus.io/scrape: "true" | ||
spec: |
Did you want to templatize the Service's type?
Example:
type: {{ .Values.service.type }}
Let's add this in a later PR
Thanks very much for this submission @max-rocket-internet! Left a few suggestions and comments to address inline but overall, great start.
@jaypipes OK done.
image: | ||
repository: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/pod-identity-webhook | ||
tag: latest |
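Review bot: `repository` on the second line of this hunk points at the ECR registry of AWS account 602401143452 in us-west-2, which is regional and requires ECR credentials to pull from; since the discussion above says this chart is for non-EKS clusters, the README should tell users to override `image.repository` (or the default should move to a public image once one is published). `tag: latest` on the last line also means `helm upgrade` sees no change in the pod template, as the review comment below points out; pin a release tag.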
The tag should be a git SHA or semver. With latest, the same replica set could run different "versions" of latest. How is a user supposed to upgrade the chart? Helm will see no changes in the image tag, and running helm upgrade will not start a rolling update.
OK, I set it to 0.2.0, the latest release. It's cosmetic anyway as the docker images don't exist yet.
Any update on this?
prometheus.io/port: "443" | ||
prometheus.io/scheme: "https" |
These annotations are incorrect. The metrics endpoint for these pods is using http on port 9999.
prometheus.io/port: "443" | |
prometheus.io/scheme: "https" | |
prometheus.io/port: "9999" | |
prometheus.io/scheme: "http" |
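Review bot: the suggested replacement changes the scrape target to http on 9999, which only helps if the object carrying these annotations actually exposes port 9999; if this is the Service and it only publishes the webhook's 443, either add a named 9999 metrics port to the Service or move the prometheus.io annotations to the pod template, where the port maps directly to the container.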
I will close due to the review process being too slow or stalled.
@max-rocket-internet throwback, but it looks like they have a docker image now: https://hub.docker.com/r/amazon/amazon-eks-pod-identity-webhook
OK, I rebased my branch and opened a new PR (can't reopen this one): #286
Note the chart won't run yet as we are still waiting on official docker images: aws/amazon-eks-pod-identity-webhook#5
Related issues:
aws/amazon-eks-pod-identity-webhook#4
aws/containers-roadmap#23
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.